The vulnerabilities, most of which were stored and reflected cross-site scripting (XSS) issues, were reported by Vulnerability Lab in January, February and May, and the vendor has since patched them.

A majority of the flaws were in the web interface of the Fortinet FortiManager and FortiAnalyzer security management and reporting appliances.

The weaknesses can be exploited by a remote attacker with access to a low-privileged user account to inject arbitrary code into the application, said researchers at Vulnerability Lab. Exploitation requires the victim to click on a link or visit a certain page containing the malicious code.

A filter bypass and multiple persistent XSS vulnerabilities were also found in Fortinet’s FortiVoice enterprise phone systems. A remote authenticated attacker could exploit the flaws.